b'                                        January 10, 2007\n\n\n\n\nMEMORANDUM TO:            Luis A. Reyes\n                          Executive Director for Operations\n\n                          Jesse L. Funches\n                          Chief Financial Officer\n\n\n\nFROM:                     Stephen D. Dingbaum /RA/\n                          Assistant Inspector General for Audits\n\n\nSUBJECT:                  MEMORANDUM REPORT \xe2\x80\x93 REVIEW OF NRC\xe2\x80\x99S\n                          IMPLEMENTATION OF THE FEDERAL MANAGERS\xe2\x80\x99\n                          FINANCIAL INTEGRITY ACT FOR FISCAL YEAR 2006\n                          (OIG-07-A-07)\n\n\n\nThis report reflects the Office of the Inspector General\xe2\x80\x99s (OIG) assessment of the\nNuclear Regulatory Commission\xe2\x80\x99s (NRC) FY 2006 compliance with the Federal\nManagers\xe2\x80\x99 Financial Integrity Act (FMFIA) of 1982. We found that NRC complied with\nthe FMFIA, except for the following material weaknesses associated with:\n\n      \xe2\x99\xa6 The Federal Information Security Management Act\n        \xe2\x80\xa2 Lack of current certification and accreditation for the agency\xe2\x80\x99s information\n           system security program,\n        \xe2\x80\xa2 Lack of contingency plan testing for the agency\xe2\x80\x99s information system\n           security program, and\n      \xe2\x99\xa6 NRC\xe2\x80\x99s Fee Billing System.\n\nThis report contains no recommendations because the material weaknesses and the\nassociated audit recommendations are included in the OIG report, Results of the Audit\nof the United States Nuclear Regulatory Commission\xe2\x80\x99s Financial Statements for Fiscal\nYears 2006 and 2005, report number OIG-07-A-02, dated November 9, 2006.\n\x0cBACKGROUND\n\nThe FMFIA was enacted on September 8, 1982, in response to continuing disclosures\nof waste, loss, unauthorized use, and misappropriation of funds or assets associated\nwith weak internal controls and accounting systems. Congress felt such abuses\nhampered the effectiveness and accountability of the Federal Government and eroded\nthe public\xe2\x80\x99s confidence. The FMFIA requires Federal managers to establish a\ncontinuous process for evaluating, improving, and reporting on the internal controls and\naccounting systems for which they are responsible.\n\nThe FMFIA requires that, each year, the head of each executive agency (subject to the\nFMFIA) shall submit a report to the President and the Congress on the status of control\nand financial systems that protect the integrity of agency programs and administrative\nactivities. NRC incorporates its FMFIA assessment and report in its annual\nPerformance and Accountability Report.\n\nEffective for FY 2006, Office of Management and Budget Circular A-123, Management\xe2\x80\x99s\nResponsibility for Internal Control, (OMB Circular A-123), revised in December 2004,\nrequires that management provide a separate assurance statement relating to internal\ncontrol over financial reporting. In addition, OMB Circular A-123 requires that significant\ndeficiencies identified under the Federal Information Security Management Act be\nreported as material weaknesses in the annual FMFIA report.\n\n\nRESULTS\n\nThe Chairman and the Inspector General reported different results on the agency\xe2\x80\x99s\nFY 2006 compliance with the FMFIA as explained below.\n\n       Federal Information Security Management Act\n\n          Both the Chairman and the Inspector General identified material weaknesses\n          related to the lack of current certification and accreditation for the agency\xe2\x80\x99s\n          information system security program, and the lack of contingency plan testing\n          for the agency\xe2\x80\x99s information system security program.\n\n       Fee Billing System\n\n          The Chairman categorized the Fee Billing System as follows:\n\n          \xe2\x99\xa6 A non-conformance in NRC\xe2\x80\x99s internal control over the efficiency and\n            effectiveness of operations and compliance with applicable laws and\n            regulations, and\n          \xe2\x99\xa6 Not as a material weakness in internal control over financial reporting.\n\n\n\n\n                                             2\n\x0c           The Inspector General identified the issues related to the agency\xe2\x80\x99s Fee Billing\n           System as a continuing material weakness.\n\n       Chairman\xe2\x80\x99s Criteria and Results\n\nOMB Circular A-123 is the agency\xe2\x80\x99s implementing guidance for FMFIA. It states that\nmaterial weaknesses are \xe2\x80\x9cReportable conditions which the agency head determines to\nbe significant enough to be reported outside the agency.\xe2\x80\x9d Material weaknesses shall be\nincluded in the annual FMFIA assurance statement and reported in the agency\xe2\x80\x99s annual\nPerformance and Accountability Report. The term \xe2\x80\x9cinternal controls,\xe2\x80\x9d as envisioned by\nthe FMFIA encompasses accounting and administrative controls, which include\nprogram, operational and administrative areas as well as accounting and financial\nmanagement. Further, OMB Circular A-123, Appendix A, Internal Control Over\nFinancial Reporting, states that, with respect to internal control over financial reporting,\na material weakness is a \xe2\x80\x9creportable condition, or combination of reportable conditions,\nthat results in more than a remote likelihood that a material misstatement of the financial\nstatements, or other significant financial reports, will not be prevented or detected.\xe2\x80\x9d\n\nUsing this criteria, the Chairman, in the FY 2006 Performance and Accountability\nReport, provided a qualified statement of assurance that the internal controls and\nfinancial management systems meet the objectives of FMFIA, with the exception of two\nmaterial weaknesses related to NRC\xe2\x80\x99s information system security program and one\nnon-conformance concerning the Fee Billing System.\n\nWith respect to OMB Circular A-123, Appendix A, the Chairman provided reasonable\nassurance that the agency\xe2\x80\x99s internal control over financial reporting as of\nJune 30, 2006, was operating effectively and no material weaknesses were found in the\ndesign or operation of internal control over financial reporting.\n\n       Inspector General\xe2\x80\x99s Criteria and Results\n\nOMB Bulletin No. 06-031, Audit Requirements for Federal Financial Statements, dated\nAugust 23, 2006, provides the criteria used by the Inspector General. Section 2.11 of\nthe Attachment to the Bulletin states:\n\n       \xe2\x80\x9cMaterial weaknesses in internal control\xe2\x80\x9d are reportable conditions in\n       which the design or operation of the internal control does not reduce to a\n       relatively low level the risk that errors, fraud or noncompliance in amounts\n       that would be material in relation to the Basic Statements or Required\n       Supplementary Stewardship Information being audited, or material to a\n       performance measure or aggregation of related performance measures,\n       may occur and not be detected within a timely period by employees in the\n       normal course of performing their assigned functions. The auditor shall\n       use this definition of material weaknesses to report on an entity\xe2\x80\x99s internal\n\n1\n OMB Bulletin 06-03 supersedes OMB Bulletin 01-02, Audit Requirements for Federal Financial\nStatements.\n\n\n                                                 3\n\x0c       control in accordance with the requirements of U.S. Government Auditing\n       Standards and this bulletin, rather than the definition of material\n       weaknesses used by management to prepare an agency\xe2\x80\x99s FMFIA report.\n\nThe Inspector General applied the aforementioned criteria and found that, for FY 2006,\nthe NRC complied with the provisions of the FMFIA, except for the following material\nweaknesses associated with:\n\n       \xe2\x99\xa6 The Federal Information Security Management Act:\n         \xe2\x80\xa2 Lack of current certification and accreditation for the agency\xe2\x80\x99s information\n            system security program,\n         \xe2\x80\xa2 Lack of contingency plan testing for the agency\xe2\x80\x99s information system\n            security program, and\n       \xe2\x99\xa6 NRC\xe2\x80\x99s Fee Billing System.\n\n\nAGENCY COMMENTS\n\nA draft of the report was shared with NRC management. The Office of the Executive\nDirector for Operations and the Office of the Chief Financial Officer had a minor editorial\ncomment which was incorporated into this report.\n\n\nSCOPE/CONTRIBUTORS\n\nWe evaluated the internal control related to the NRC\xe2\x80\x99s implementation of the FMFIA for\nFY 2006, and conducted our work in December 2006, in accordance with Generally\nAccepted Government Auditing Standards. This audit was conducted by Kathleen\nStetson, Audit Manager.\n\nIf you have any questions, please contact me at 415-5915 or Steven Zane at 415-5912.\n\n\ncc:    Chairman Klein\n       Commissioner McGaffigan\n       Commissioner Merrifield\n       Commissioner Jaczko\n       Commissioner Lyons\n       M. Johnson, OEDO\n       M. Malloy, OEDO\n       P. Tressler, OEDO\n\n\n\n\n                                             4\n\x0c'